Archive for the ‘Threat Management’ Category

Splunk-ing

Friday, August 15th, 2008


No, I am not talking about visiting caves. Splunking is the process of using a product called Splunk. It’s a security search engine that lets you view log information from various sources such as firewalls, servers and other network devices, and report on it. Think of it as Google for IT data. Beyond the functionality, which is excellent, the really nice thing about this product is that it’s open source, meaning it’s essentially free to use if you don’t want professional advice or support and you are not pumping tons of data into it.

This 2-minute video gives you all the information you need to get started.


How does it work?

Splunk, like Google, needs data to work. Google’s strength is that it can not only search through tons of data but also correlate it, making some assumptions about what should be displayed and in what order. Splunk works much the same way. It takes data generated by virtually any networked computer device and lets you search for the things that matter, such as signs of potential or known problems. By default it can gather information automatically from Event Logs, syslog and file shares, and a growing list of plug-ins lets it read data from other sources.

So how does it benefit the average company?

Splunk is a framework that can make sense of data. In its simplest form, it can show you on one page the condition of a system, security information, change controls, web page stats, and so on.

If you’re looking for a way to easily report on the IT log data you already have, you should look at Splunk.

Managing Access to Social Network Sites

Wednesday, August 13th, 2008


Info Security Magazine recently sponsored a great online presentation addressing the issues of Web 2.0 and social networking sites such as MySpace, Facebook and LinkedIn.

If you are interested in learning about the issues surrounding Web 2.0, Generation V and Social Networking, this is a great place to start.

I work with Chris Pruetz, who does the technical presentation.

You can register for it here. It’s archived, so you can attend at a time that best fits your schedule.

Very informative.  Highly recommended.

If you are interested in learning more about the solution they recommend from Marshal Inc, please visit our website at www.gnscon.com.

USB Drive Gotcha Again

Tuesday, August 5th, 2008


A financial analyst for Countrywide Home Financial, the troubled mortgage lender, reportedly stole over 20,000 customer profiles per week for about two years. The data was stolen on USB drives. Although Countrywide had technology in place to disable flash drives on employee computers, the analyst used a PC where the protection was not installed.

The moral of the story is that if you are going to install security software on every PC except one or two, you might as well not install it at all. People talk. Someone will spill the beans, and when one person knows, everyone knows.

One of the things we highly recommend is using USB policy management on ALL PCs. There are two general ways to approach this problem. The simplest is to disable all USB drives. The second, more flexible approach is to force strong encryption on all USB drives, which renders a drive unusable unless it is plugged into a company computer. Both methods work well, but if and only if they are applied uniformly across all PCs, including laptops.

PromiSEC’s Spectator is an excellent solution not only for preventing this type of situation but also for enforcing and monitoring software compliance and anti-virus updates. It provides the facility to ensure there are no exceptions, without installing agent software locally.

Twitter used to exploit and steal information

Tuesday, August 5th, 2008


The IT security firm Kaspersky reported today that it has discovered a malicious mini-site on Twitter. (NOTE: this link does not open the malicious site.) Twitter is a popular social networking site, similar to MySpace or Facebook, but its format is short messaging, not detailed blogging.

The site supposedly lures readers into downloading the latest version of Adobe Flash Player but really downloads software that steals information from your computer, such as login IDs and passwords.

Four things are important to note here:

  1. Many people are trusting of these sites, since their goal is to create social networks. Openness is the key to their success and the source of their real danger. Facebook and MySpace have already been booby-trapped in similar ways.
  2. If you are asked to download anything from a site other than the actual software vendor’s site (in this case Adobe), don’t do it. If you get a notice that your Flash player (or any other software, for that matter) needs to be upgraded, don’t take the notice at face value. Close the dialog box and go directly to the vendor’s site to check the situation there. If the vendor’s site says your software is up to date, there is a very high likelihood that the notice you saw was a scam to exploit your computer.
  3. Twitter and other social networking sites are not just popular with teens and college students. Your employees are using them as well, so realize this is not just a threat to your home computer but to your office ones too. Look at your web filtering reports for these sites. Many web filters will categorize them automatically in your report.
  4. This is a daily reminder of the need to keep your anti-virus and anti-malware programs up to date, and of why all downloads should be carefully screened.

Watch Your Google Gadgets

Monday, August 4th, 2008


Ever use iGoogle? I do, and I love it. It’s as close as you can get to a personalized home page without having to know web code. However, the platform is about to be rocked by a presentation this week at Black Hat, the annual hacker conference.

According to Yahoo News, Cenzic senior security analyst Tom Stracener and security researcher Robert Hansen, better known as “RSnake,” plan to demonstrate a zero-day vulnerability that affects Google Gadgets. What this means is that they are going to announce that knowledgeable web coders will be able to inject malware into your PC, possibly beyond the reach of traditional antivirus and malware protection.

So if you’re an “iGoogle-Google-Gadget-User” what do you do? 

  1. The first thing is to educate your users about the dangers of installing unknown software. This is good practice no matter what.
  2. Watch what comes out of Black Hat 2008. Follow the mainstream IT security bloggers as they summarize the presentations. I’ll post more on this as it gets closer.
  3. If, in your opinion, the risk of iGoogle malware outweighs the benefits, use your web filter to block it, or block the installation of Google Gadgets. You can still get all the benefits of Google.

Best Practices Are Good For Your Company and For Your Job!

Friday, August 1st, 2008


Bill Brenner from CSO Magazine recently wrote the following:

In the wake of a data breach, the company’s top brass may go looking for someone to blame. If you are the security chief, chances are it’s going to be you.

It doesn’t matter that you warned executives repeatedly that certain technological or cultural flaws were putting the company at risk, or that you had to maintain security with a shoestring budget and little or no staff. Chances are you’ll take the fall whether you deserve it or not, says George Moraetes, a Chicago-based security contractor and executive board advisor for security event management firm IdentityLogix.

He has watched as some of his CSO acquaintances were blamed for a security failure or dismissed for trying to blow the whistle over the company’s security holes.

“One friend of mine, the CISO of a credit bureau, blew the whistle on a security auditor who wasn’t following best practices and was making reporting discrepancies,” says Moraetes, an independent consultant. “The auditor was a friend of the top brass, and the CISO was let go. I know of three others in Georgia who were fired or demoted for similar reasons.”

The moral of the story: if you’re in charge of security at your company, whether you have 5 employees or 5,000, you should have a documented best-practices policy and procedures manual that is audited for compliance. Your job is at risk, as the precedent has already been established.

Best practices are free. You just need to follow them. What are they? Well, a good place to start is the SANS Institute (www.sans.org). This group puts out quality material, much of it available to the general public, including some good starter guides if you want to get started with best practices.

Also, the NIST manual from our July 23 posting is another good manual, with good measurement metrics.

You can also use security consultants with CISSP or GIAC certifications to help establish and audit them.

It’s dog eat dog in the world of phishing

Thursday, July 31st, 2008


Phishing kits, which include the tools necessary to duplicate common websites along with the scripts to steal information submitted by phishing victims, are widely available on the Internet, but they are booby-trapped.

About 40% of these so-called “kits” are designed to steal whatever information the phishers catch and send it back to the makers of the kits.

It appears now that phishers are using Darwinian principles to get richer: big fish eating little phish, with only the strongest surviving.

How can you avoid being a victim of phishing? Norman Data Defense suggests three reasons why people are fooled:

  1. Lack of Knowledge - most people are unaware of the risk
  2. Visual Deception - most phishing sites or emails look official
  3. Lack of Attention to Security Indicators - we don’t pay attention to the little “lock icons” in our browsers or to warnings about SSL certs

What should you do?

Keep these three categories in mind whenever you visit a site, even if you type the address into your browser yourself.

  1. Remember that you can be duped easily by a slip of the finger. Check your spelling. Another form of trickery, browser redirection through a DNS exploit, can make something phoney look real.
  2. Know your site. If a site you frequent has changed or looks different, check it out first. Don’t just assume it’s a new layout. Sometimes this can be a clue that something’s wrong.
  3. Don’t just buy from anyone on the Internet. Just because they have the best price doesn’t mean they’re the best. If an item is priced way lower than everyone else’s, you should be suspicious. Only buy from reputable companies you know. A quick check of the website can be a dead giveaway: if the company lists no street or mailing address but only an email address or web form in the Contact Us section, stay away.
  4. Never visit an ecommerce or banking site whose SSL cert is invalid. Companies with certs keep them updated and valid. Sometimes a cert legitimately expires without the company noticing. Just call the company to tell them and ask what’s up. Chances are they’ve received other calls about it. If not, you’re helping them out.
  5. Look for the lock in your browser when an SSL session is established. Get familiar with the cert. You can find out quite a bit of info from that little lock icon.
  6. If something smells “phishy,” don’t eat it. Call the company and ask what’s up.
  7. Finally, and not to be a commercial for PayPal, use PayPal whenever you can, as long as it’s really PayPal and not a phisher. With real PayPal, if someone scams you on a purchase, they get you once. If you give them your credit card, they have your number and can run it up.
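As an added example (my own code, not part of the original post or any vendor’s product), here is a small Python check that applies items 1 and 7 above before you trust a hostname: it flags a typo, a digit-for-letter look-alike, or a known brand buried as a subdomain of some other domain. The allow list and the hostnames are constructed for illustration.

```python
# Added example (not part of the original post): flag look-alike hostnames
# before you trust them. KNOWN_SITES is a constructed allow list standing in
# for the sites you actually do business with.
KNOWN_SITES = ["paypal.com", "example-bank.com", "mystore.example"]

# Swaps that make a fake name read like the real one at a glance.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(host: str) -> str:
    """Undo the usual look-alike substitutions; used only for comparison."""
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def registrable(host: str) -> str:
    """Last two labels of a host (www.paypal.com -> paypal.com).
    A real tool would use the public-suffix list; this is a simplification."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so the check needs no third-party package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_host(typed: str) -> tuple:
    """Return ('ok', site), ('lookalike', site) or ('unknown', '') for a host."""
    raw = typed.lower().strip(".")
    reg = registrable(raw)
    if reg in KNOWN_SITES:
        return "ok", reg
    for known in KNOWN_SITES:
        # Brand buried as a subdomain: login.paypal.com.evil.example
        if raw.startswith(known + ".") or ("." + known + ".") in raw:
            return "lookalike", known
        # Digit-for-letter swaps: paypa1.com reads as paypal.com
        if registrable(normalize(raw)) == known:
            return "lookalike", known
        # Slip of the finger: one or two characters off (paypall.com)
        if edit_distance(reg, known) <= 2:
            return "lookalike", known
    return "unknown", ""
```

A "lookalike" verdict is a reason to stop and type the address fresh or call the company, as item 6 says; an "unknown" verdict just means the site is not on your list.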

Kaspersky Hacked!

Wednesday, July 30th, 2008


The official Malaysian Kaspersky Antivirus website was hacked yesterday by a Turkish cracker going by the handle “m0sted”. The same cracker also hacked the official Kaspersky S.E.S. online shop and several of its other subdomains.

The attacker reported “patriotism” as the reason for the attack and “SQL injection” as the technical means of intrusion. Now possibly thousands of user records and credit cards are at risk of being sold for fraudulent purposes.

This is why, if you frequent online stores, you should never save your online data with them. If they have it, it can be stolen. Most places give you the option. NEVER say YES to this option.

The Importance of Proactivity

Wednesday, July 30th, 2008



IBM’s X-Force security division reported that more than 90% of all browser-related exploits occurred within 24 hours of an official vulnerability disclosure, and that most botnets were created by exploiting this window.

What this means is that within one day of a vulnerability being announced, cyber-criminals are deploying code that can take control of an unpatched or unprotected user’s PC and use it as part of their botnets. A botnet is a group of computers controlled by a rogue user; grouped in thousands, even millions, of similar computers, it can be used to deliver spam or denial-of-service attacks.

This demonstrates the need for three main things:

  1. Good patch management
  2. Updated anti-malware software that goes beyond your standard AV program
  3. Good security awareness training for your employees

These three things give you an effective defense against the botnet masters: not a 100% defense, but one they don’t typically factor in. Like any criminal looking for an easy steal, they’ll look for the unlocked and undefended places first.

If you have any questions about how to establish any of these three layers of protection, please contact us. Your blog questions are welcome.

Hacking at KYW-TV Philadelphia

Thursday, July 24th, 2008



Being a former Philadelphia resident, I found this one very interesting.

Former Philadelphia news anchor Larry Mendte was charged on Monday with hacking into the e-mail accounts of Alycia Lane, his co-anchor at CBS affiliate KYW-TV and reported rival, hundreds of times over the course of two years.

During this time, Mendte allegedly leaked privileged legal information about Lane’s personal life to the press “in an attempt to undermine his colleague’s ongoing legal cases,” said Acting U.S. Attorney Laurie Magid at a press conference on Monday. (as reported in Information Week)

This type of activity is very common today. People are always looking for an advantage over the competition. And it’s not only email but also personal files on people’s computers at home and at work.

While nothing is 100%, it’s always important to remember the three rules of passwords: never share them with anyone, make sure they are strong (at least 6 characters, mixing letters, numbers and special characters) and change them on a regular basis. It also helps to add some sort of token-based security as well.